Title of test:
Test 2

Description:
Comp tester22

Creation Date: 2025/06/05

Category: Others

Number of questions: 84

Content:

What are the three primary tools basic to the security development life cycle?
  - Fuzzing or fuzz testing
  - Static analysis testing
  - Dynamic analysis testing
  - Measurement model
  - Software security architects

In which phase of the SDLC should the software security team be involved?
  - Planning
  - Support & Design
  - Design and Development
  - Release and Launch
  - Concept

Which business function of OpenSAMM is associated with deployment?
  - Vulnerability management
  - Security Assessment
  - Threat Assessment
  - Code Review

What is the product risk profile?
  - A security assessment deliverable that estimates the actual cost of the product
  - A security assessment of vulnerabilities
  - A security model associating costs with the business aspect of vulnerabilities
  - A cost reduction model

What determines the order of items in a product backlog in Scrum?
  - Order is decided by the Scrum Team
  - Order is decided by the ScrumMaster
  - Order is decided by the project manager
  - Order is decided based on the value of the items being delivered

Explanation: the order is decided based on the value of the item/requirement in the backlog, because once the item is done the business can start using it. The Product Owner decides the order of items in the backlog.

(Question text missing on the page.)
  - When a project is smaller, it can easily be turned back upwards after the coding phase is complete
  - When a project is smaller, the risk of changing requirements and scope is lower
  - When a project is smaller, it doesn't need any time for reflection
  - When a project is smaller, there is an emphasis on empowering teams with collaborative decision-making

(Question text missing on the page.)
  - Quality code
  - Secure code
  - Information security
  - Integrity
  - Availability

What ensures that the user has the appropriate role and privilege to view data?
  - Authentication
  - Multi-factor authentication
  - Encryption
  - Information security
  - Authorization

Which security goal is defined by "guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity"?
  - Integrity
  - Quality
  - Availability
  - Reliability

Which phase in an SDLC helps to define the problem and scope of any existing systems and determine the objectives of new systems?
  - Requirements
  - Design
  - Planning
  - Testing

What happens during a dynamic code review?
  - Programmers monitor system memory, functional behavior, response times, and overall performance
  - Customers perform tests to check that the software meets requirements
  - An analysis of computer programs without executing them is performed
  - Input fields are supplied with unexpected input and tested

How should you store your application user credentials in your application database?
  - Use application logic to encrypt credentials
  - Store credentials as clear text
  - Store credentials Base64-encoded
  - Store credentials using salted hashes
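
Added example, not part of the quiz or its source material, contrasting the "Base64-encoded" and "salted hash" options above. Base64 is an encoding and reverses for free; a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) produces a record that can be checked without ever storing the password. The iteration count and the `pbkdf2_sha256$` record layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example; production deployments should use the
# iteration count current guidance recommends, which is higher than this.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def store_base64(password: str) -> str:
    """The 'Base64-encoded' option: an encoding, not a protection."""
    return base64.b64encode(password.encode()).decode()


def recover_from_base64(stored: str) -> str:
    """Anyone who can read the table gets the password back unchanged."""
    return base64.b64decode(stored).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The 'salted hash' option: random per-user salt plus a slow KDF.

    The record carries its own parameters so they can be raised later
    without breaking verification of rows written with older settings."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS, dklen=DIGEST_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))
    print(verify_password(record, "Tr0ub4dor&3"))
```

Because the salt is random, two users with the same password get different records, so an attacker who dumps the table can neither spot shared passwords nor reuse one precomputed table against every row.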

Which software methodology resembles an assembly-line approach?
  - Iterative model
  - Waterfall model
  - V-model
  - Agile model

In Scrum methodology, who is responsible for making decisions on the requirements?
  - Scrum Team
  - Product Owner
  - ScrumMaster
  - Technical Lead

ISO/IEC is a joint committee that develops and maintains standards in the IT industry. ____ is an international code of practice for information security management; this section defines confidentiality, integrity and availability controls.
  - ISO 50001 Energy Management
  - ISO/IEC 27018 Cloud Privacy
  - ISO/IEC 17799
  - ISO 31000 Risk Management

A standard that provides guidance to help organizations embed security within the processes that secure applications running in their environment, including application lifecycle processes.
  - ISO/IEC 27034
  - ISO/IEC 29100 Privacy Framework
  - ISO 45001 Occupational Health and Safety
  - ISO/IEC 27002 Security Controls

____ offers a roadmap and a well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning.

Source code of an application is reviewed manually or with automatic tools without running the code.
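
Added example, not from the quiz: a minimal static analyser built on Python's `ast` module. It reads source text and walks the syntax tree for `eval`/`exec` calls, `subprocess.call` with `shell=True`, and string constants assigned to secret-looking names, reporting line numbers without ever executing or importing the analysed code. The sample source and the rule set are constructed for this example.

```python
import ast
from typing import List, Tuple

# Constructed sample to analyse (it is parsed, never executed or imported):
SAMPLE_SOURCE = '''
import subprocess

DB_PASSWORD = "s3cret-hardcoded"
api_token = "AKIA-example-token"

def run(cmd):
    return subprocess.call(cmd, shell=True)

def load(expr):
    return eval(expr)
'''

DANGEROUS_CALLS = {"eval", "exec"}
SECRET_NAME_PARTS = ("password", "passwd", "secret", "token", "api_key")


def _callee_name(func: ast.expr) -> str:
    """Return 'eval' for eval(...), 'subprocess.call' for subprocess.call(...)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def analyse(source: str) -> List[Tuple[int, str]]:
    """Apply static rules over the AST; return (line, message) pairs sorted by line."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node.func)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, f"{name}() executes attacker-controllable code"))
            if name == "subprocess.call" and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            ):
                findings.append((node.lineno, "subprocess.call(..., shell=True): command injection risk"))
        elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
              and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                    part in target.id.lower() for part in SECRET_NAME_PARTS
                ):
                    findings.append((node.lineno, f"hard-coded secret assigned to {target.id}"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in analyse(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

The analyser sees only structure: it can tell that a string literal is assigned to `DB_PASSWORD`, but it cannot know what `expr` holds at runtime, which is exactly the trade-off between static analysis and the dynamic analysis described further down.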

Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation.
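
Added example, not from the quiz: a tiny mutation fuzzer run against a constructed parser. The parser reads a one-byte length prefix, the payload and a checksum byte; the buggy version trusts the declared length (the improper input validation the definition mentions) and the fixed version checks it against the buffer first. The fuzzer mutates a valid record, treats `ValueError` as an expected rejection and records anything else as a crash. The record format, seed and mutation strategy are assumptions of the example.

```python
import random
from typing import Callable, List


def _valid_record(payload: bytes) -> bytes:
    """Constructed format: length byte, payload, checksum byte (sum mod 256)."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def parse_record_buggy(data: bytes) -> bytes:
    """Trusts the declared length; a short buffer makes the checksum read go out of range."""
    if not data:
        raise ValueError("empty record")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # IndexError when data is shorter than declared
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the length validated against the actual buffer first."""
    if not data:
        raise ValueError("empty record")
    length = data[0]
    if len(data) != 2 + length:
        raise ValueError("declared length does not match buffer")
    payload = data[1:1 + length]
    if sum(payload) % 256 != data[1 + length]:
        raise ValueError("bad checksum")
    return payload


def fuzz(target: Callable[[bytes], bytes], iterations: int = 2000, seed: int = 1) -> List[bytes]:
    """Mutate a known-good record; return inputs that raised anything other than ValueError."""
    rng = random.Random(seed)              # fixed seed so a run is reproducible
    base = _valid_record(b"abc")
    crashes: List[bytes] = []
    for _ in range(iterations):
        data = bytearray(base)
        for _ in range(rng.randint(1, 3)):
            op = rng.choice(("flip", "insert", "delete"))
            if op == "flip" and data:
                data[rng.randrange(len(data))] = rng.randrange(256)
            elif op == "insert":
                data.insert(rng.randint(0, len(data)), rng.randrange(256))
            elif op == "delete" and data:
                del data[rng.randrange(len(data))]
        try:
            target(bytes(data))
        except ValueError:
            continue                       # expected rejection of malformed input
        except Exception:                  # anything else is a bug in the parser
            crashes.append(bytes(data))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record_buggy)
    print(f"buggy parser: {len(found)} crashing inputs, first: {found[0].hex() if found else None}")
    print(f"fixed parser: {len(fuzz(parse_record_fixed))} crashing inputs")
```

Separating "expected rejection" from "crash" is what makes the harness useful: a parser is supposed to refuse bad input, so only unexpected exception types (or, in native code, signals and sanitizer reports) count as findings.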

A sequential, activity-based process in which each phase of the SDLC is performed in order, from planning through implementation and maintenance.
  - Incremental Methodology
  - RUP Methodology
  - Waterfall Methodology
  - Agile Methodology

Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system.

An agile project management framework that helps teams structure and manage their work through a set of values, principles, and practices.
  - Sprint
  - Bucket
  - Scrum
  - SDLC

Daily time-boxed event of 15 minutes or less for the Development Team to re-plan the next day of development work during a Sprint; updates are reflected in the Sprint Backlog.
  - Gray-Box
  - Daily Scrum
  - White-Box
  - Black-Box

A meeting that occurs after each sprint to show the product or process to stakeholders for approval and to receive feedback.
  - Sprint Retrospective
  - Sprint Retroactive
  - Sprint Planning
  - Sprint Review

Identify security objectives; survey the application; decompose it; identify threats; identify vulnerabilities.
  - Process of Attack Simulation
  - Waterfall Methodology
  - Sprint Review
  - Threat Modeling Steps

A collaborative event in Scrum in which the Scrum team plans the work for the current sprint.
  - Sprint Review
  - Release Planning
  - Sprint Testing
  - Sprint Planning

A developer with an interest in security who helps amplify the security message at the team level.

An opportunity for the Scrum Team to inspect itself and create a plan for improvements to be enacted during the next Sprint.

New standard for managing traffic and sessions.
  - Database Security
  - Personal Security
  - Physical Security
  - Communication Security

What are the components of the DREAD model?
  - Risk Assessment
  - Affected Users
  - Discoverability
  - Threat Modeling
  - Exploitability
  - Reproducibility
  - Vulnerability Analysis
  - Damage Potential

  1. Define the objectives
  2. Define the technical scope
  3. Decompose the application
  4. Analyze the threats
  5. Vulnerability analysis
  6. Attack analysis
  7. Risk and impact analysis

A design feature or practice that, in the event of a specific type of failure, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people.

HP analysis
  - Dynamic analysis
  - Static tool
  - Source code analysis
  - Sentinel Source

HP WebInspect
  - Random data brute force (Peach) tool
  - Gray box
  - Dynamic tool
  - White box testing

QAInspect
  - Random data brute force (Peach) tool
  - Dynamic tool
  - HP analysis
  - Gray box

IBM AppScan
  - Dynamic tool
  - Gray box
  - HP analysis
  - Random data brute force tool

Provide progress against the privacy requirements set in earlier stages, and assess any changes to identify and add any new requirements.

Veracode
  - Both the source code and binary are known
  - Meets business need
  - Random data brute force tool
  - Dynamic tool

WhiteHat
  - Dynamic tool
  - Meets business need
  - Gray box
  - Random data brute force tool

Sentinel Source
  - Dynamic tool
  - Gray box
  - Both the source code and binary are known
  - Random data brute force tool

Security, privacy and compliance
  - Functional
  - Non-functional
  - Client
  - Dynamic

Software team creates
  - Code review checklist for quality assurance
  - SDL protect plan to achieve a non-functional goal
  - Agile framework to enhance team collaboration
  - Waterfall model for project management

White box testing
  - Byte code analysis
  - Static analysis
  - Source code analysis
  - Attack surface analysis

Both the source code and binary are known
  - White box testing
  - Gray box testing
  - Black box testing
  - Blue box testing

Old, default, elevated, anonymous, network, assembly, can't explain
  - Sprint Planning
  - Dynamic code analysis uses
  - Threat modeling steps
  - Hit list for code

Monitor, detect, contain, stabilize, analyze, learn, feedback
  - Security steps
  - Change Management Process
  - Code Review Process
  - Non-functional

Governance, Construction, Verification, Deployment
  - OWASP OpenSAMM
  - Bucket
  - IBM AppScan
  - Sentinel Source

Real-world threats: strategic/critical, tactical/surgical, user-specific/normal
  - What is a Software Security Champion
  - Types of threats and what they affect
  - What are the major phases of the SDLC
  - Top 4 programming errors

Change management process; PSIRT (post-release incident response team), especially for zero-days; CVSS; public disclosures.

What are the major phases of the SDLC.

Request, impact analysis, approve/deny, implement, review.

How does a programmer use data flow diagrams in developing software?

Two or more independent security people look over the code for bugs.

Likelihood and impact.

Analysis and testing of a program occurs while it is being executed or run.
  - Dynamic Analysis
  - State Analysis
  - Virtual Analysis
  - Static Analysis

A testing technique in which the internal workings of the software are not known to the tester.
  - Gray-box
  - Both Black-box and Glass-box
  - White-box
  - Black-box

A software development methodology that delivers functionality in rapid iterations, measured in weeks, requiring frequent communication, development, testing, and delivery.
  - Iterative Development
  - Agile Development
  - Waterfall Development
  - Waterfall Model

Open-source web application security scanner; can be used as a proxy to manipulate traffic running through it (even HTTPS).
  - OWASP ZAP
  - Fuzzing
  - Post release support
  - Sprint Review

What should a Privacy Impact Assessment include?
  - A privacy impact assessment (PIA) is an analysis of how personally identifiable information (PII) is handled, to ensure compliance with appropriate regulations, determine the privacy risks associated with information systems or activities, and evaluate ways to reduce the privacy risks
  - Planning, analysis, design, development, testing, implementation, and maintenance
  - A study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time
  - A developer with an interest in security who helps amplify the security message at the team level
